It appears that Microsoft have had a bit of a security scare, though thankfully they have worked fast to make sure everything should now be okay. It is, though, a leak that could potentially have put their users at risk.
This leak, or “disclosure”, was revealed in a Security Advisory by the company:
“Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.”
As the advisory states, the accidental disclosure of the private keys would open customers up to potential man-in-the-middle attacks, in which an attacker reroutes communications between the user of the site and the site itself. The attacker would then have access to data that should have been securely handled.
With Microsoft acting quickly and revoking the certificate connected to these private keys, everything should now be fine. Why the company accidentally let the private keys be disclosed, though, is something that will have to be investigated, and hopefully it will not happen again.
Security issues like this are always big news when it comes to big companies like Microsoft because of the amount of private data, and of course passwords, that they handle. So it is not only the fact that this information could be intercepted that matters, but also the trust we have in the company.
Does this disclosure of private keys worry you? Let us know your thoughts below.